Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

February 23, 2023, by Ravie Lakshmanan

Multiple attackers have been observed opportunistically weaponizing a patched critical security vulnerability affecting multiple Zoho ManageEngine products since January 20, 2023.

Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows an unauthenticated attacker to take complete control of an affected system.

24 different products are affected by this issue, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM).

In a technical advisory shared with The Hacker News, Bitdefender’s Martin Zugec said, “The use of an older third-party dependency, Apache Santuario, for validating XML signatures could lead to unauthenticated remote code execution.”
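As an added illustration (not code from the article, Bitdefender, or Zoho), the check below uses Python's standard library to list every `ds:Transform` in an XML signature whose algorithm is not on a small allow-list; a validator that applies arbitrary transforms instead of only enveloped-signature and canonicalization is the behaviour that hardened XML-signature libraries reject. The allow-list and the two sample SAML snippets are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Assumption: the only transforms a signed SAML assertion legitimately needs.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def unsafe_transforms(xml_text: str) -> list:
    """Return the Algorithm URI of every ds:Transform outside the allow-list.

    An empty list means the signature only asks for transforms a strict
    validator would apply; anything else should be rejected before any
    signature processing happens.
    """
    root = ET.fromstring(xml_text)
    return [
        t.get("Algorithm", "")
        for t in root.iter(f"{{{DS}}}Transform")
        if t.get("Algorithm", "") not in ALLOWED_TRANSFORMS
    ]

# Constructed sample: an ordinary enveloped signature over an assertion.
BENIGN = f"""<Assertion ID="a1"><ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
<ds:Reference URI="#a1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></Assertion>"""

# Constructed sample: the same structure, but one transform asks the
# validator to run a stylesheet, which a strict validator must refuse.
SUSPICIOUS = f"""<Assertion ID="a1"><ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
<ds:Reference URI="#a1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>
</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></Assertion>"""

if __name__ == "__main__":
    print("benign:", unsafe_transforms(BENIGN))        # []
    print("suspicious:", unsafe_transforms(SUSPICIOUS))  # one XSLT URI
```

The check is a pre-filter for logs or WAF rules, not a replacement for a signature library running in its secure-validation mode.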

Exploitation efforts are said to have begun a day after penetration testing firm Horizon3.ai released a proof of concept (PoC) last month, according to a Romanian cybersecurity firm.

The majority of attack victims are located in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the United Kingdom, and the United States.

The main goal of the attacks detected so far is to deploy tools such as Netcat and Cobalt Strike Beacon on vulnerable hosts.

Some intrusions utilized the initial access to install AnyDesk software for remote access, while several others attempted to install the Windows version of the Buhti ransomware.

Additionally, there is evidence of targeted espionage, with threat actors exploiting ManageEngine flaws to deploy malware capable of executing next-stage payloads.

“This vulnerability is a stark reminder of the importance of keeping systems up-to-date with the latest security patches and employing strong perimeter defenses,” said Zugec.

“Attackers don’t need to hunt around for new exploits and new techniques when they know that many organizations are vulnerable to old exploits due to lack of proper patch management and risk management.”
